After you add a website to Web Application Firewall (WAF), you can enable data risk control for the added website. Data risk control is used to protect crucial website services against attacks. These services include registrations, logons, campaigns, and forums. You can customize data risk control rules based on your business requirements.
Prerequisites
- A WAF instance is purchased. The instance meets the following requirements:
  - The instance is deployed in the Chinese mainland.
  - Bot Management is enabled.
- Your website is added to WAF. For more information, see Add a website.
Background information
The data risk control feature is based on Alibaba Cloud big data. This feature uses industry-leading engines for risk decision-making and is integrated with human-machine identification technologies to protect crucial services against attacks in various scenarios. To use data risk control, you need only to add your website to WAF. You do not need to configure servers or clients.
Data risk control is suitable for a wide range of scenarios. These scenarios include spam user registration, SMS flood attacks, dictionary attacks, brute-force attacks, auto-purchase bots, promotion abuse, snatcher bots, vote manipulation, and spam.
Compatibility
Data risk control is suitable only for web pages or HTML5 environments. In some cases, the JavaScript plug-in that is inserted into web pages may be incompatible with the web pages. This results in errors in slider CAPTCHA verification. The following web pages may encounter compatibility issues:
- Static web pages that you can visit by using their URLs, and web pages to which you can be redirected by modifying location.href, by calling the window.open method, or by using the anchor tag <a>. Static web pages include HTML details pages, shared pages, website homepages, and documents.
- Web pages where you rewrite and commit code and web pages where you submit custom requests, such as when you submit forms, rewrite XMLHttpRequest (XHR), and send custom Ajax requests.
- Web pages whose code makes use of webhooks.
After you enable data risk control, we recommend that you select the warn mode and use data risk control together with the Log Service for WAF feature. This allows you to run a compatibility test. For more information, see Overview of the Log Service for WAF feature.
To protect native apps, we recommend that you use the Anti-Bot SDK. For more information, see Configure application protection.
Procedure
After data risk control is enabled, you can use the Log Service for WAF feature to view the protection results. For more information, see View protection results.
Introduction to a protected URL
A protected URL is the endpoint that is used to perform service operations. A protected URL is different from the URL of a web page. For example, you have a registration page whose URL is www.aliyundoc.com/new_user. The endpoint that you can use to obtain verification codes is www.aliyundoc.com/getsmscode, whereas the endpoint that you can use to register is www.aliyundoc.com/register.do.
In this example, you must add www.aliyundoc.com/getsmscode and www.aliyundoc.com/register.do as protected URLs. This way, WAF can protect the URLs from SMS flood attacks and spam user registration. If you add www.aliyundoc.com/new_user as a protected URL, common users are also required to pass slider CAPTCHA verification. This impairs user experience.
- Protected URLs support exact match and do not support fuzzy match. For example, if you add www.aliyundoc.com/test as a protected URL, data risk control filters only the requests that are sent to this URL. Data risk control does not filter the requests that are sent to the subdirectories of this URL.
- Data risk control protects traffic based on website directories. If you add www.aliyundoc.com/book/* as a protected URL, data risk control filters the requests that are sent to the web pages in all the subdirectories of www.aliyundoc.com/book. We recommend that you do not configure data risk control to monitor the entire website. If you add www.aliyundoc.com/* as a protected URL, common users are required to pass slider CAPTCHA verification before they can visit the website homepage. This impairs user experience.
- Requests that are sent to a protected URL always trigger slider CAPTCHA verification. Make sure that common users cannot directly request a protected URL. Common users are required to pass multi-factor authentication before they can visit the protected URL.
- Data risk control does not apply to websites that support API operations. API calls are machine actions and cannot pass the slider CAPTCHA verification of data risk control. However, if a common user clicks a button on a page to call an API operation, data risk control still works.
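The matching rules above (exact match for a plain URL, directory match for a URL that ends in /*) can be checked against candidate protected URLs before you commit a configuration. The following is an added example that models the documented semantics; it is not WAF's own matcher. The rule set and request URLs are constructed for the demonstration, and two details the page does not specify are treated as assumptions: the scheme and the query string are ignored, and a directory rule matches paths beneath the directory, not the directory path itself.

```python
"""Model of the protected-URL matching rules described in the documentation.

Constructed illustration; not the WAF matcher. Assumptions (not stated on the page):
scheme and query string are ignored, and `host/dir/*` matches paths under `host/dir/`.
"""
from typing import List


def normalize(url: str) -> str:
    """Reduce a request URL to host + path: drop scheme and query string (assumption)."""
    if "://" in url:
        url = url.split("://", 1)[1]
    url = url.split("?", 1)[0]
    # a bare host is the homepage; represent it with a trailing slash
    if "/" not in url:
        url += "/"
    return url


def matches(rule: str, url: str) -> bool:
    """Return True when `url` is covered by the protected-URL `rule`.

    - a rule ending in '/*' is a directory rule and covers everything beneath it
    - any other rule is an exact match: subdirectories are NOT covered
    """
    target = normalize(url)
    if rule.endswith("/*"):
        base = rule[:-2]
        return target.startswith(base + "/")
    return target == rule


def protecting_rules(rules: List[str], url: str) -> List[str]:
    """List the configured rules that would put `url` behind slider CAPTCHA verification."""
    return [r for r in rules if matches(r, url)]


def homepage_is_protected(rules: List[str], host: str) -> bool:
    """The anti-pattern the page warns about: a rule set that challenges the homepage."""
    return bool(protecting_rules(rules, host))


if __name__ == "__main__":
    # Constructed rule sets: a sensible one and the over-broad one the page discourages.
    good_rules = ["www.aliyundoc.com/test", "www.aliyundoc.com/book/*"]
    broad_rules = ["www.aliyundoc.com/*"]
    for u in ["www.aliyundoc.com/test", "www.aliyundoc.com/test/sub",
              "www.aliyundoc.com/book/ch1/page2", "www.aliyundoc.com/books",
              "https://www.aliyundoc.com/"]:
        print(f"{u:45} good={protecting_rules(good_rules, u)} broad={protecting_rules(broad_rules, u)}")
    print("homepage challenged by broad rules:", homepage_is_protected(broad_rules, "www.aliyundoc.com"))
```

Running the script shows that the exact rule covers www.aliyundoc.com/test but not its subdirectory, that the /book/* rule covers pages under /book but not the unrelated /books path, and that the catch-all rule would challenge the homepage, which is the configuration the page advises against.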
View protection results
You can use the Log Service for WAF feature to view the protection results.

Examples
User Tom has a website whose domain name is www.aliyundoc.com. Common users can register as website members at www.aliyundoc.com/register.html. Tom notices that attackers can use malicious scripts to submit registration requests and create accounts. The accounts that are created by attackers are used to participate in prize draws that are held by the website. The registration requests are highly similar to normal requests, and the request rate is maintained at a normal level. In this case, the HTTP flood protection policy cannot identify this type of malicious request.
Configuration example
Tom adds the website to WAF and enables data risk control for the www.aliyundoc.com domain name. The URL of the most crucial registration service is www.aliyundoc.com/register.html. Therefore, Tom adds this URL as a protected URL.
Protection results
After the configurations take effect, data risk control inserts a JavaScript plug-in into all web pages of the website. This allows Tom to monitor and analyze the behavior of each user who visits www.aliyundoc.com. The web pages into which a JavaScript plug-in is inserted include the homepage and subpages. Then, data risk control determines whether the behavior of each user is normal. Data risk control also determines whether a source IP address is malicious based on the big data reputation library of Alibaba Cloud.
When a user visits www.aliyundoc.com/register.html, WAF determines whether the user is an attacker based on the user behavioral and environmental data that is generated from the time the user visits the website to the time the user submits the registration request. For example, if a user directly submits a registration request and does not perform other operations before the request is submitted, the request is identified as suspicious.
- If data risk control determines that a request is from a normal user based on the past behavior of the user, the user can register accounts without verification.
- If data risk control identifies a request as suspicious, or the source IP address has a record that the source IP address is used to send malicious requests, slider CAPTCHA verification is triggered to verify the identity of the user. Only a user that passes the verification can register accounts.
If slider CAPTCHA verification captures suspicious user behavior, such as the use of scripts to simulate real user behavior to pass slider CAPTCHA verification, data risk control uses other verification methods to verify the user identity until the user passes verification. Then, the user is identified as a normal user. If the user fails the verification, data risk control blocks the request.
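The decision flow in the example (allow a user with normal prior behavior, challenge a suspicious request or a source IP address with a malicious record, escalate when the slider is solved in a scripted way, block on a failed verification) can be written out as a small state machine. The following is an added illustration, not the actual WAF engine: the session events and the IP reputation entry are constructed sample data, the "additional_verification" step stands in for the other verification methods the page mentions without naming, and treating an exhausted verification chain as a block is an assumption.

```python
"""Constructed model of the registration-protection flow described in the example.

Not the WAF engine. Sample sessions and the reputation record are made up; the
second verification step is a placeholder for the unnamed follow-up methods.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

PROTECTED_URL = "www.aliyundoc.com/register.html"   # protected URL from the example
MALICIOUS_IPS = {"203.0.113.7"}                     # constructed IP reputation record

# Verification methods tried in order; the second name is a placeholder (assumption).
VERIFICATION_CHAIN = ["slider_captcha", "additional_verification"]


@dataclass
class Session:
    """Events the inserted plug-in observed for one visitor, as (method, url) in order."""
    ip: str
    events: List[Tuple[str, str]] = field(default_factory=list)


def risk_decision(session: Session) -> str:
    """Classify the registration request: 'allow' a normal user, otherwise 'challenge'."""
    if session.ip in MALICIOUS_IPS:
        return "challenge"                   # source IP has a malicious record
    # Behavior before the registration POST. A user who submits the request
    # without having loaded any page first is treated as suspicious.
    prior = [e for e in session.events if e != ("POST", PROTECTED_URL)]
    if not prior:
        return "challenge"
    return "allow"


def run_verification(outcomes: List[str]) -> str:
    """Walk the verification chain. outcomes[i] is the result of step i:
    'pass'     -> normal user, request allowed
    'fail'     -> request blocked
    'scripted' -> the challenge was solved but looked automated; escalate to the next method
    """
    for _method, outcome in zip(VERIFICATION_CHAIN, outcomes):
        if outcome == "pass":
            return "allow"
        if outcome == "fail":
            return "block"
    return "block"   # chain exhausted without a clean pass (assumption)


def handle_registration(session: Session, outcomes: List[str] = ()) -> str:
    """Full flow for one registration request; `outcomes` feeds any triggered challenges."""
    if risk_decision(session) == "allow":
        return "allow"
    return run_verification(list(outcomes))


# Constructed sessions
NORMAL_USER = Session("198.51.100.10", [("GET", "www.aliyundoc.com/"),
                                         ("GET", PROTECTED_URL),
                                         ("POST", PROTECTED_URL)])
SCRIPTED_DIRECT_POST = Session("198.51.100.11", [("POST", PROTECTED_URL)])
BAD_REPUTATION = Session("203.0.113.7", [("GET", "www.aliyundoc.com/"),
                                          ("GET", PROTECTED_URL),
                                          ("POST", PROTECTED_URL)])

if __name__ == "__main__":
    print("normal user           :", handle_registration(NORMAL_USER))
    print("direct POST, no solve :", handle_registration(SCRIPTED_DIRECT_POST, ["fail"]))
    print("direct POST, scripted :", handle_registration(SCRIPTED_DIRECT_POST, ["scripted", "pass"]))
    print("bad IP, human solves  :", handle_registration(BAD_REPUTATION, ["pass"]))
```

The point the model makes explicit is that the protected URL is the only place a decision is taken, while the evidence comes from the whole visit: the same POST is allowed for the session that browsed the site first and challenged for the one that did not, and a malicious IP record forces a challenge even when the browsing looks normal.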
During this process, data risk control is enabled for the entire website (www.aliyundoc.com). Data risk control inserts a JavaScript plug-in into all web pages of the website to analyze user behavior. However, protection and verification are required only for www.aliyundoc.com/register.html, to which users submit registration requests. Data risk control is triggered only when a registration request is submitted.